14cc78b9df103a5e4ab62122a94b116a0fb3d37a7de1569fabd4f91aede223ea

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo.To.Color.Sketch.v6.51/PhotoToColorSketch_setup.exe
Size

956KB
MD5

a6ac663d63fef8ccd70a3a2c685ca9ba
SHA1

f372deb087628c2d2c33aa779d6c4db9640e886e
SHA256

8fb16de8b15b42005ee0ed96bd2be283082ef74ce9d878dc31abe4610074efee
SHA512

bbc40a08fdb14686bc1e27bd49340caefa3c0edf4bdf2cd92dd53ea6892c9aa2aacddcc16df97c4d513507095d8e03bc55449298957a42d1bad7b3fa931490ff
SSDEEP

24576:jfOyq3maWWu6/qxMFFUmNdBeQPtIbMEy28CmjtOj:jGJ2aVu6KyjUQtIbF4G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	is-2LUD8.tmp

Loads dropped DLL 3 IoCs

pid	Process
2180	PhotoToColorSketch_setup.exe
2160	is-2LUD8.tmp
2160	is-2LUD8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	is-2LUD8.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14
PID 2180 wrote to memory of 2160	2180	PhotoToColorSketch_setup.exe	14

C:\Users\Admin\AppData\Local\Temp\is-CVJNL.tmp\is-2LUD8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CVJNL.tmp\is-2LUD8.tmp" /SL4 $30130 "C:\Users\Admin\AppData\Local\Temp\Photo.To.Color.Sketch.v6.51\PhotoToColorSketch_setup.exe" 744379 52224
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2160

C:\Users\Admin\AppData\Local\Temp\Photo.To.Color.Sketch.v6.51\PhotoToColorSketch_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Photo.To.Color.Sketch.v6.51\PhotoToColorSketch_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-CVJNL.tmp\is-2LUD8.tmp

Filesize
92KB

MD5
6204c56eaa2c5035fea9db718d4f79e3

SHA1
85648b8d791f76c4cd1bd86960475ef860143681

SHA256
bd1d511a09b463d3e55e64aa8f4cc6fc79997e5b095487a7bbabd1990a2ca73d

SHA512
89ff57c4b30cb35413505a0eb4cfa6786c74015b79e6e05b19b44338d35b4a05c753170515172be6dd7a6230224cfc39bc61741354bf3882045538d732d2c9c2

Download Submit
memory/2160-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2160-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2180-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2180-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download